CVE-2026-53901 · Severity: HIGH · CNA: CIRCL

CVE-2026-53901: Cerebrate before v1.37 allows mass assignment of record identifiers during object creation

Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled. Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching.
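The ordering bug described above, as an added, simplified PHP illustration that is not Cerebrate's code: the request shape, the `massageInput()` helper and the `patchEntity()` stand-in are assumptions made for the example, including the assumption that the normalizer rebuilds its output from the raw request rather than from the already-filtered `$params`. The vulnerable handler strips `id` before normalization, so the client's value survives; the fixed handler strips it from the normalized input that actually reaches the entity.

```php
<?php
// Added illustration, not Cerebrate's code. Assumption: the normalizer
// rebuilds input from the raw request rather than from the filtered $params.
function massageInput(array $request): array
{
    // Typical normalization: accept either a JSON body or form fields and
    // merge them into one associative array for the ORM.
    $json = $request['json'] ?? [];
    $form = $request['form'] ?? [];
    return array_merge($form, $json);
}

// Stand-in for an ORM entity patch; a real one would populate an entity object.
function patchEntity(array $entity, array $input): array
{
    return array_merge($entity, $input);
}

// Vulnerable ordering: id is removed from $params, but $input is rebuilt
// from the request afterwards, so a client-supplied id reaches the entity.
function addVulnerable(array $request): array
{
    $params = $request['form'] ?? [];
    unset($params['id']);                 // filters a copy nobody uses later
    $input = massageInput($request);      // normalized data still carries id
    return patchEntity(['id' => null], $input);
}

// Fixed ordering: normalize first, then drop the server-controlled field
// from the data that is actually patched into the entity.
function addFixed(array $request): array
{
    $input = massageInput($request);
    unset($input['id']);                  // identifier left for the server to assign
    return patchEntity(['id' => null], $input);
}

// Constructed sample request carrying a client-chosen identifier.
$request = ['json' => ['id' => 42, 'name' => 'example-org']];

// The vulnerable path keeps the client's id; the fixed path leaves it null
// so the database assigns the identifier.
var_dump(addVulnerable($request)['id']);
var_dump(addFixed($request)['id']);
```

Checking that `id` (and any other server-owned field) is absent from the array handed to the entity patch, rather than from an intermediate copy, is the property a reviewer should look for in any generic CRUD add path.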

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 1.37
Affected Products: 1


HarborGuard Analysis

Synopsis

A mass-assignment vulnerability in Cerebrate, the open-source threat intelligence sharing platform, allows an unauthenticated network attacker to supply attacker-chosen record identifiers during object creation via the generic CRUD add endpoint. The flaw is reachable over the network with no authentication required, because the add() handler failed to strip the id field after input normalization, letting an attacker-controlled value survive into the entity creation path. Successful exploitation allows an attacker to create objects with arbitrary identifiers, enabling data tampering, object spoofing, inconsistent cross-references, or identifier collision attacks. A patched-image rebuild at v1.37 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53901 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Cerebrate. Any image containing a Cerebrate version below 1.37 is flagged automatically.

Triage: Available

Triage is available with the full CVSS v4.0 score of 8.7 (HIGH), weighted against each customer organization's per-environment compliance policies, and routed to the appropriate team inbox based on those policies.

Patch: Available

A patched-image rebuild at Cerebrate v1.37 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable add endpoint is exposed over the network, so an attacker must be able to reach the Cerebrate service via HTTP/HTTPS.

  • Authentication: Not required

    The CVSS vector specifies PR:N, meaning no account or session credential is needed to send a crafted request to the affected endpoint.

  • Victim interaction: Not required

    The attack is fully server-side; no user needs to click a link or take any action for exploitation to succeed.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is straightforward and reliable with no race conditions or special environmental conditions required.

Blast Radius

  • An attacker writes objects into the Cerebrate database with hand-picked identifiers, overriding server-controlled sequencing.
  • Attacker-chosen identifiers can collide with or shadow existing legitimate records, corrupting cross-references between Cerebrate objects such as organisations, sharing groups, or contacts.
  • Spoofed identifiers can cause downstream systems that trust Cerebrate's identifier space to ingest or act on falsified object relationships.
  • Secondary integrity impact in connected scopes (SI:L) means linked or federated Cerebrate nodes may also reflect the tampered identifier data.

How HarborGuard Handles This

Available on HarborGuard: detection of images containing Cerebrate below v1.37 is available the moment the CVE enters the ingestion pipeline. For environments with auto-remediation enabled, HarborGuard can rebuild the affected image at v1.37, execute regression tests against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before image replacement, HarborGuard routes the finding to the designated team inbox with the CVSS 8.7 score and full fix-version detail attached. Customers who cannot immediately upgrade should consider restricting network access to Cerebrate add endpoints via Kubernetes NetworkPolicy or equivalent ingress controls until the v1.37 image is deployed.


Fix available

1.37
Affected packages
  • cerebrate / cerebrate
    < 1.37 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/U:Amber